The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

All Long Island chapter meetings are free. Please watch our calendar for upcoming events.

St. Cloud State University wins OWASP AppSec USA 2011 University Challenge
Posted by boss on Wednesday, 19 October 2011 @ 08:20:17 CEST. Topic: Vulnerabilities

Seven St. Cloud State students won the Open Web Application Security Project AppSec USA 2011 University Challenge held at the Minneapolis Convention Center Sep. 21-22. The winners are majoring in Network Information Security at the Computer Networking and Applications (IT) program.

"This is another great achievement by students in the CNA (IT) program after winning the Minnesota Cyber Defense competition in March," said Tirthankar Ghosh, associate professor at the Department of Computer Science and Information Technology. "This is a moment of pride for all of us, a moment of pride for SCSU."

The St. Cloud State team not only won the overall competition but also scored the highest on the "attack portion" of this application security university challenge. The competition was divided into two challenges – security penetration and security defense. In the first challenge, the students had to break into a number of websites provided to them, identify their security vulnerabilities and suggest solutions to fix them. In the second challenge, the teams had to set up a virtual store, identify any weaknesses in the code and resolve them by providing new programming changes to the code.

"These challenges gave us a well-rounded experience of a security professional, both with being able to attack as well as to defend web applications," said junior Joshua Platz, St. Cloud.

NOTE FROM CLEMENT: Another busy week for DataLossDB. See below the mistakes made by companies that led them to face negative publicity, huge losses, and other collateral damage. It seems the list is not getting any smaller. The threat is real and you must address issues such as internal employees, human errors, and other soft issues that can make you lose a large amount of money. See the latest email sent by DataLossDB below:

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for existing incidents. For any questions about the project or the data contained within this email or the website (http://www.datalossdb.org), please contact us at [email protected].

==============================================

Incidents Added

Reported Date: 2010-10-29
Summary: Students' names, grades and Social Security numbers of 40,101 left exposed on a server for nearly a year
Organizations: University of Hawaii
http://datalossdb.org/incidents/3230
---------------------

Spanish authorities investigating the crash of Spanair flight 5022 in Madrid have found that malware may have contributed to the accident, which occurred two years ago, killing 154 people on board. Only 18 survived the crash and subsequent fire.

The Spanish agency charged with investigating the accident has listed the official cause as pilot error, because the pilots failed to extend the MD-80 airplane's takeoff flaps and slats, which would have helped the airplane to rise. Instead, the plane stalled just seconds after takeoff.

But the agency also found that a warning alarm meant to ensure that the pilots didn't leave the flaps and slats retracted failed to sound, and that the warning had failed to sound on two previous occasions.

According to Spanish daily El Pais, those failures, which were non-trivial, should each have been immediately logged in a maintenance system, which would have spotted the recurring fault and triggered an alarm at the airline's headquarters in Palma de Mallorca, keeping the plane grounded until the issue was fixed.

But authorities say that the maintenance system had been infected by a Trojan application, rendering the monitor useless. In addition, two engineers currently under investigation for manslaughter apparently failed to log the device faults, even though under company policies they were required to do so immediately. When they did attempt to enter the faults, the plane had already crashed, at which point they found that the monitoring system apparently wasn't working.

The judge, Juan David Perez, has demanded that the airline turn over copies of all entries in the maintenance system from the days before and after the crash.

"I am not a pilot, so I cannot speak with authority on how to fly a passenger airliner, but it seems clear to me that this accident was caused by the failure of a number of controls leading to a disastrous outcome," wrote Rick Wanner of the SANS Internet Storm Center, on his blog. "Clearly the SpanAir diagnostic system (a detective control) designed to detect anomalies in the airliners system failed, possibly due to a Trojan. Also it appears the pilots bypassed part of their pre-takeoff checklist, leaving the flaps and slats in a position not recommended for takeoff."

"This one all boils down to inadequate training and a lack of professional behavior," said a responder to Wanner's post, citing 25 years of jet avionics experience. "They had to have had ample indications that certain systems were not working, they didn't follow the checklists and they didn't abort when they failed to reach certain speeds at certain points during the takeoff roll."

Nmap is really the mother of all port scanners. It can help you on the defensive side to identify ports that are currently open, new IPs that have just shown up in your production environment, and ports that have been added, deleted, or modified on your hosts. Find out what is happening to your servers as soon as changes manifest themselves. This is really a great tool for regular scanning and discovery of ports and services that should or should not be on your servers. This book is written by Fyodor, the author of Nmap; there is nobody who knows Nmap better than Fyodor. I highly recommend it to all. See the announcement below from Fyodor:
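The defensive use described above (spot new hosts and changed ports between two scheduled scans) is something Nmap itself supports through the ndiff utility that ships with it, which compares two XML scan outputs. The script below is an added example, not code from the book or from the Nmap project; it shows the same comparison in plain Python so the logic is visible. Both scan results are constructed inline (192.0.2.0/29 is a documentation address range) so the example runs offline; in practice you would feed it files written with `nmap -oX`.

```python
import xml.etree.ElementTree as ET

# Constructed: yesterday's baseline scan of a small DMZ.  Real input comes
# from something like:  nmap -sS -p- -oX base.xml 192.0.2.0/29
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX base.xml 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
</ports></host>
</nmaprun>"""

# Constructed: today's scan.  .10 gained telnet and lost https; .12 is a
# host nobody told the security team about.
TODAY_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX today.xml 192.0.2.0/29">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
</ports></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Map each host that was up to the set of (proto, port) Nmap saw open."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr.get("addr")] = ports
    return result


def diff_scans(baseline_xml, current_xml):
    """Report hosts that appeared or vanished and ports that opened or closed."""
    before, after = open_ports(baseline_xml), open_ports(current_xml)
    report = {
        "new_hosts": sorted(set(after) - set(before)),
        "missing_hosts": sorted(set(before) - set(after)),
        "opened": {},
        "closed": {},
    }
    for ip in set(before) & set(after):
        opened = after[ip] - before[ip]
        closed = before[ip] - after[ip]
        if opened:
            report["opened"][ip] = sorted(opened)
        if closed:
            report["closed"][ip] = sorted(closed)
    return report


if __name__ == "__main__":
    r = diff_scans(BASELINE_XML, TODAY_XML)
    for ip in r["new_hosts"]:
        print(f"NEW HOST  {ip}")
    for ip in r["missing_hosts"]:
        print(f"GONE      {ip}")
    for ip, ports in r["opened"].items():
        print(f"OPENED    {ip}: {ports}")
    for ip, ports in r["closed"].items():
        print(f"CLOSED    {ip}: {ports}")
```

Run against the two constructed scans it flags 192.0.2.12 as a new host, tcp/23 opened on 192.0.2.10 and tcp/443 closed there. The useful part is the schedule, not the script: a daily scan from the same vantage point, compared against the previous one, turns "someone opened telnet on a DMZ host" into a ticket the next morning instead of a surprise in a pentest report.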

Nmap Hackers:

After promising you a book on Nmap for years, I'm delighted to finally announce the release of Nmap Network Scanning! It contains everything I've learned about network scanning from more than a decade of Nmap development, plus some bad jokes and (over Time Warner's written objections) pictures of Trinity hacking the Matrix :) . Here is the abstract:

Nmap Network Scanning is the official guide to the Nmap Security Scanner, a free and open source utility used by millions of people for network discovery, administration, and security auditing. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book by Nmap's original author suits all levels of security and networking professionals. The reference guide documents every Nmap feature and option, while the remainder demonstrates how to apply them to quickly solve real-world tasks. Examples and diagrams show actual communication on the wire. Topics include subverting firewalls and intrusion detection systems, optimizing Nmap performance, and automating common networking tasks with the Nmap Scripting Engine.

The planned release date was January 1, but Amazon beat the deadline and is now shipping in time for Christmas! Imagine your loved one's surprise when she (or he) finds nearly 500 pages of port scanning bliss in her stocking!

It is available on the International Amazon sites too, as well as other online retailers. Your local book store probably doesn't have it yet, but can likely order it for you.

About half of the content is available free online at http://nmap.org/book/toc.html . Chapters exclusive to the print edition include "Detecting and Subverting Firewalls and Intrusion Detection Systems", "Optimizing Nmap Performance", "Port Scanning Techniques and Algorithms", "Host Discovery (Ping Scanning)", and more.

If you enjoy the book, please help spread the word! While my previous books were published by Addison-Wesley and Syngress, this one was self-published. While that allowed me to post half the book online before it was even released, it also means I lose the marketing budget and clout of a major publisher. So if you like the book, please post a review to your blog/site/Amazon or tell your friends about it!

Apparently there was some pent-up demand for the book, as it is currently the 11th best-selling computer book on Amazon. Maybe it will be even higher by the time you read this:

We do get trained on the remnants left on storage devices and how to sanitize them before reusing them for other purposes; however, it seems the training should include sanitizing network devices as well. See a great story below from the UK; I am sure we could do just as well in the States:

A security expert discovered a VPN device bought on Ebay automatically connected to a local council's confidential servers.

Andrew Mason bought the Cisco VPN 3002 Concentrator - a device on which he has written a tutorial book - on Ebay for only 99 pence, with the intention of using it at work.

However, when he plugged it in it automatically connected him directly to Kirklees Council's central servers, circumventing security with the login details which had been carelessly left on the device.

"It instantly connected me, and I had full network access," explains Mason. "I understand the law extremely well and at that point disconnected," adds the intrusion-detection professional.

Despite contacting the council about the matter, no action was taken. "They ignored me at first," says Mason, before explaining that following coverage on the BBC website, access from the device has been shut off.

He admits that there could well be more devices out there, from which access is still possible, and exceedingly simple. "The whole selling point of the device was that it was extremely easy to configure. It's pretty horrific really," says Mason.

The council says it is "deeply concerned" by the news, but is confident that "multiple layers of security have prevented access to systems and data."

"In the meantime the disposal process has been suspended until an investigation can be carried out and appropriate action taken," says a council spokesman.

Do you backup ALL of your data? It could cost you Billions if you don't
Posted by boss on Thursday, 29 March 2007 @ 11:41:41 CEST. Topic: Vulnerabilities

March 28, 2007 (Computerworld) Anyone remotely associated with IT has by now read at least one account of the data loss suffered by the state of Alaska relating to their Permanent Fund Dividend. As more details emerge (see "Oil revenue gets baked in Alaska"), I am beginning to feel a bit like Bill Murray in "Groundhog Day". Or, to quote this Red Sox fan's favorite Yankee, Yogi Berra, "it's déjà vu all over again."

This story, or a similar variant, has been repeated numerous times in organizations of all shapes and sizes, albeit usually without the number $38 billion linked to it. I just feel sorry for the poor guys involved - most of the time this type of screw-up isn't covered by Fox News, CNN, and the Associated Press. Giga-dollars aside, identical exposures exist today within many data centers.

One particular facet of the story caught my eye. Initial reports suggested that after the primary and secondary disk information was lost, attempts to recover from tape were unsuccessful because the "backup tapes were unreadable." Here we go again - blame tape! If only they had backed up to disk. Wrong. It turns out that the backup tapes were NOT unreadable because there were NO backup tapes. It seems that due to a process glitch, this particular data set was not being backed up.

With today's backup reporting tools, there is no excuse for repeated failed backups being undetected. However, there still remains a major gap in many data protection strategies: unknown or orphan systems. For a backup to "fail," it has to at least have been scheduled to run. If a system is brought online and never entered into the backup pool, or additional volumes are allocated to a system, but never added to the backup "include" list, there is technically no failure from the backup application's perspective. As appears to have been the case here, and we have seen elsewhere, this omission went undetected until it was too late.

Accounting for orphan systems is an arduous task. Some reporting applications attempt to provide information through activities such as network probing (often to the chagrin of the network security folks as this looks like an intrusion), but even this requires significant effort to filter out "noise" (i.e. printers and other non-server devices, multiple NIC cards in a given device) and then to manually reconcile what is and isn't being backed up and why. Finding orphan volumes is even harder, which is why, at a minimum, we typically recommend configuring backup applications to include all local volumes.
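The reconciliation the last two paragraphs describe, as an added example (not GlassHouse's or any backup vendor's code): take a discovered-asset list and the backup server's client/include configuration, filter the kinds of noise mentioned above, and report hosts that were never enrolled, volumes that exist on an enrolled client but are not on its include list, and policy entries for hosts that no longer exist. Both inputs are constructed, the device-type labels are assumed to come from whatever probe or CMDB produced the inventory, and the `ALL_LOCAL` keyword is a stand-in for your product's "all local volumes" directive.

```python
# Constructed discovery output: (hostname, device_type, mounted volumes).
# In practice this comes from a network probe or a CMDB export.
DISCOVERED = [
    ("pfd-db01", "server", ["/", "/var/lib/pgsql", "/backup_staging"]),
    ("pfd-app01", "server", ["/", "/opt/app"]),
    ("pfd-file01", "server", ["/", "/srv/claims", "/srv/claims2"]),
    ("pfd-web02", "server", ["/", "/var/www"]),      # never enrolled
    ("hr-print1", "printer", []),                    # noise: not a backup client
    ("pfd-db01-ilo", "mgmt-interface", []),          # noise: second NIC of pfd-db01
]

# Constructed backup policy: client -> include list.  ALL_LOCAL is an assumed
# keyword standing in for the product's "back up every local volume" option.
BACKUP_POLICY = {
    "pfd-db01": ["/", "/var/lib/pgsql"],            # /backup_staging was added later
    "pfd-file01": ["/", "/srv/claims"],              # /srv/claims2 was added later
    "pfd-app01": ["ALL_LOCAL"],
    "old-fs01": ["/", "/data"],                      # decommissioned, still in policy
}

# Device types that legitimately have no backup client and must be filtered
# before anything is called an orphan.
NOISE_TYPES = {"printer", "mgmt-interface", "switch", "router"}


def reconcile(discovered, policy, noise_types=NOISE_TYPES):
    """Compare what exists against what the backup application knows about."""
    orphan_hosts, orphan_volumes = [], {}
    seen = set()
    for host, dtype, volumes in discovered:
        seen.add(host)
        if dtype in noise_types:
            continue
        included = policy.get(host)
        if included is None:
            # No client entry at all: the backup app will never report a
            # failure for this host because nothing was ever scheduled.
            orphan_hosts.append(host)
            continue
        if "ALL_LOCAL" in included:
            continue  # new volumes are picked up automatically
        missing = sorted(set(volumes) - set(included))
        if missing:
            orphan_volumes[host] = missing
    stale = sorted(set(policy) - seen)
    return {
        "orphan_hosts": sorted(orphan_hosts),
        "orphan_volumes": orphan_volumes,
        "stale_clients": stale,
    }


if __name__ == "__main__":
    r = reconcile(DISCOVERED, BACKUP_POLICY)
    for h in r["orphan_hosts"]:
        print(f"NOT IN BACKUP POOL   {h}")
    for h, vols in r["orphan_volumes"].items():
        print(f"VOLUMES NOT INCLUDED {h}: {vols}")
    for h in r["stale_clients"]:
        print(f"STALE POLICY ENTRY   {h}")
```

The `ALL_LOCAL` branch is the point of the article's closing recommendation: a client configured to include every local volume has no orphan-volume problem to reconcile, so the manual work shrinks to the host-level question of who is in the pool at all.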

A colleague of mine likes to talk of strategic use of policy and tactical use of technology. All too often organizations try to make the strategy about the technology. Once again, we see that it is no substitute for well thought out policy and process.

Jim Damoulakis is chief technology officer of GlassHouse Technologies Inc., a leading provider of independent storage services. He can be reached at [email protected]

Due to an increased network threat condition, the Defense Department is blocking all HTML-based e-mail messages and has banned the use of Outlook Web Access e-mail applications, according to a spokesman for the Joint Task Force for Global Network Operations.

An internal message available on the Internet from the Defense Security Service (DSS) states that JTF-GNO raised the network threat condition from Information Condition 5, which indicates normal operating conditions, to Infocon 4 “in the face of continuing and sophisticated threats” against Defense Department networks.

Infocon 4 usually indicates heightened vigilance in preparation for operations or exercises or increased monitoring of networks due to increased risk of attack.

The JTF-GNO mandated the use of plain-text e-mail because HTML messages pose a threat to DOD: HTML content can carry spyware and, in some cases, executable code that could enable intruders to gain access to DOD networks, the JTF-GNO spokesman said.

In an e-mail to Federal Computer Week, a Navy user said that any HTML messages sent to his account are automatically converted to plain text.
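What "automatically converted to plain text" can look like at a mail gateway, as an added example rather than anything DOD or a vendor published: the parser keeps the visible text, discards the bodies of script and style elements, drops images (including tracking pixels), and prints each link's real target beside its text so a user can see where it goes. The message is constructed. Real gateways also have to deal with attachments, nested multipart structures and character sets; this example handles only the simple case and drops non-text parts.

```python
import email
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample: an HTML-only message carrying script, a link whose
# text says nothing about its destination, and a 1x1 tracking image.
SAMPLE_RAW = """\
From: ops@example.mil
To: user@example.mil
Subject: Schedule change
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The 0900 brief moves to <b>1000</b>.</p>
<script>document.location='http://evil.example/x';</script>
<p><a href="http://evil.example/login">Review the updated agenda</a></p>
<img src="http://evil.example/track.gif" width="1" height="1">
</body></html>
"""


class TextOnly(HTMLParser):
    """Collect visible text; skip script/style bodies; expose link targets."""

    SKIP = {"script", "style"}
    BREAK = {"p", "br", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skipping = 0
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skipping += 1
        elif tag == "a":
            self._href = dict(attrs).get("href")
        elif tag in self.BREAK:
            self.parts.append("\n")
        # img, object, iframe etc. contribute nothing: they are dropped

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skipping = max(0, self._skipping - 1)
        elif tag == "a" and self._href:
            # Show where the link really goes; the link text alone can lie.
            self.parts.append(f" <{self._href}>")
            self._href = None

    def handle_data(self, data):
        if not self._skipping:
            self.parts.append(data)


def html_to_text(html):
    """Return the visible text of an HTML body with whitespace collapsed."""
    p = TextOnly()
    p.feed(html)
    p.close()
    return " ".join("".join(p.parts).split())


def _decoded(part):
    charset = part.get_content_charset() or "utf-8"
    return part.get_payload(decode=True).decode(charset, errors="replace")


def to_plain_text(raw):
    """Rebuild a message as text/plain, converting any HTML parts."""
    msg = email.message_from_string(raw)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            out[name] = msg[name]
    bodies = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            bodies.append(_decoded(part))
        elif ctype == "text/html":
            bodies.append(html_to_text(_decoded(part)))
        # other parts (attachments) are dropped here; a real gateway would
        # apply its own attachment policy to them instead
    out.set_content("\n\n".join(bodies))
    return out


if __name__ == "__main__":
    print(to_plain_text(SAMPLE_RAW))
```

The script and the tracking image disappear from the delivered copy, and the link is rendered as `Review the updated agenda <http://evil.example/login>`, which is the property the plain-text mandate is after: nothing in the message body executes or fetches anything, and the destination of every link is visible to the reader.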

The JTF-GNO spokesman declined to say why the command raised the threat level except to say that Infocon levels are adjusted to reflect worldwide social and political events and activities. He said the current threat level does not bar the use of attachments, including Power Point slides used for briefings.

He also declined to tell FCW what other restrictions on e-mail that JTF-GNO has imposed. But a December 2006 newsletter of the Colorado National Guard said that under Infocon 4, Guard members receiving e-mails from any unknown source, including “mail received from unrecognized Department of Defense accounts,” should be viewed as potentially harmful.

The Colorado Guard newsletter also alerted personnel to be vigilant against e-mail “phishing” attempts to gain personal information.

The ban on use of Outlook Web mail will hit thousands of users at Robins Air Force Base, Ga., according to an internal message available on the Internet. The ban on the use of Outlook Web Access “will significantly impact the way we presently conduct business,” because Web mail is the primary means of e-mail access for 4,500 employees at the base, according to the message.

Robins has developed a work-around for these users to access Outlook directly by logging on to government computers with their common access cards, the internal message said.

JTF-GNO raised the DOD network threat level to Infocon 4 in mid-November after an attack on the networks at the Naval War College (NWC) required NWC to take its systems offline. The JTF-GNO spokesman said at the time that the increase in threat conditions had no relation to the attack against NWC.

Interesting tool to fight bugs such as the WMF bug
Posted by boss on Wednesday, 04 January 2006 @ 12:02:24 CET. Topic: Vulnerabilities

Anonymous writes "For those interested, Core FORCE is a free endpoint security software currently in Beta stage. With it users can configure access control permissions to file system objects independently of the operating system's ACLs and security policy enforcement mechanisms.

The default security profiles of IE and Firefox included in the package distribution prevented exploitation of the WMF bug through those vectors, simply because they denied execution of rundll32.exe from within IE or Firefox. The same applies to the MSN Messenger profile submitted to the profiles repository site.

Furthermore, you can explicitly configure permissions to deny and log read/exec access to shimgvw.dll system-wide or on a per-application basis. This is functionally equivalent to Microsoft's suggested workaround of unregistering the DLL, but the advantage is that it does not matter if some program registers it back or if somehow a program tries to load and execute the DLL in any way."

NIST is pleased to announce the release of Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. The guide has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 systems.

Learn the five worst security practices in organizations
Posted by cdupuis on Tuesday, 05 April 2005 @ 08:04:53 CEST. Topic: Vulnerabilities

Regardless of an organization's size, they all face the same security challenge: keeping intruders away from their private information. However, most companies have a tendency to make the same mistakes. John McCormick details the five worst security practices found in businesses both large and small.

An individual using a single workstation, a small business with two or three PCs connected to the Net through a high-speed cable modem, the team responsible for the security of an enterprise network: Regardless of an organization's size, they all face the same security challenge: keeping intruders away from their private information.

Unfortunately, people tasked with security keep making the same basic mistakes. Since it's once again been a relatively quiet week in the security world, I'm taking this opportunity to list the five worst security practices found in businesses both large and small.

NOTE FROM CLEMENT: Once in a while I come across a product that really gets me going and gets me excited again about security. Lately I ran into such a product called PredatorWatch; it is a great tool to validate your compliance, monitor activities, and become compliant with the CVE. What is even more interesting is the fact that the CEO is one of the students that I had in one of my CISSP classes. Here are some neat white papers that Gary from PredatorWatch has shared with cccure.org:

A. Proactive Network Security: Do you speak CVE?
A nice presentation discussing what CVEs are all about. Synopsis: The most important information security question you need to answer is "Do You Speak CVE?" If you do not, then no matter how much you spend on INFOSEC countermeasures, you'll never fully understand why you are experiencing downtime and successful hacker attacks, not to mention the regulatory compliance risk you face.

The Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem. The CVE is an industry standard funded by the Department of Homeland Security and operated by MITRE.
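An added example of what "CVE names as the common key" buys you in practice (not PredatorWatch's or MITRE's code): two constructed reports in different formats are joined on the CVE name per host and looked up in a constructed fix database, which is the cross-tool correlation the paragraph describes. The host addresses, plugin numbers and fix text are constructed; the CVE identifiers are real entries used only as sample data. One caveat built into the regex: since 2014 the sequence part of a CVE name may be longer than four digits, so a pattern that assumes exactly four will silently miss newer entries.

```python
import re

# CVE names are CVE-<year>-<sequence>; the sequence has at least four digits
# and, since the 2014 syntax change, may have more.  Case-insensitive because
# tools are not consistent about it.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed output from two tools with nothing in common but the CVE name.
SCANNER_A = """\
host=10.0.0.5 port=443 plugin=10863 sev=High   CVE-2004-0079 OpenSSL do_change_cipher_spec NULL dereference
host=10.0.0.5 port=22  plugin=11837 sev=Medium CVE-2003-0693 OpenSSH buffer management error
host=10.0.0.9 port=80  plugin=12345 sev=Low    banner disclosure, no CVE assigned
"""
SCANNER_B = """\
10.0.0.5;openssl-0.9.7a;cve-2004-0079,CVE-2004-0112;vendor advisory available
10.0.0.7;apache-2.0.48;CVE-2004-0174;upgrade available
"""
HOST_A = re.compile(r"host=(\S+)")
HOST_B = re.compile(r"^([\d.]+);")

# Constructed local fix database keyed by CVE name (the "CVE-compatible
# database" of the text; in practice an advisory feed or patch catalogue).
FIX_DB = {
    "CVE-2004-0079": "Upgrade OpenSSL to 0.9.7d or later",
    "CVE-2004-0112": "Upgrade OpenSSL to 0.9.7d or later",
    "CVE-2003-0693": "Upgrade OpenSSH to 3.7.1 or later",
}


def findings_by_host(report, host_re):
    """Map host -> set of CVE names, reading one report line at a time."""
    out = {}
    for line in report.splitlines():
        m = host_re.search(line)
        if not m:
            continue
        cves = {c.upper() for c in CVE_RE.findall(line)}
        if cves:
            out.setdefault(m.group(1), set()).update(cves)
    return out


def correlate(report_a, report_b, fix_db):
    """Join two reports on (host, CVE) and attach fix information."""
    a = findings_by_host(report_a, HOST_A)
    b = findings_by_host(report_b, HOST_B)
    rows = []
    for host in sorted(set(a) | set(b)):
        for cve in sorted(a.get(host, set()) | b.get(host, set())):
            rows.append({
                "host": host,
                "cve": cve,
                "seen_by": [name for name, r in (("A", a), ("B", b))
                            if cve in r.get(host, set())],
                "fix": fix_db.get(cve, "no fix information"),
            })
    return rows


if __name__ == "__main__":
    for row in correlate(SCANNER_A, SCANNER_B, FIX_DB):
        print(f"{row['host']:10} {row['cve']:15} {'+'.join(row['seen_by']):4} {row['fix']}")
```

The finding on 10.0.0.9 has no CVE name and therefore cannot be correlated at all, which is the flip side of the paragraph's point: a tool report without CVE names is a tool report you have to reconcile by hand.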

In today's world, the use of information systems has become mandatory for businesses to perform their day-to-day functions efficiently. Use of desktop PCs, laptops, and network connectivity, including Internet and email, is as essential as the telephone at the workplace. The employees and networked information systems are the most valuable assets of any organization.

The misuse of information systems by employees, however, poses serious challenges to organizations, including loss of productivity, loss of revenue, legal liabilities and other workplace issues. Organizations need effective countermeasures to enforce their acceptable-usage policies, minimize losses and increase productivity. This paper discusses some of the issues related to information system misuse, the resulting threats and countermeasures. Click on the link below to read this great document.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or any other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respective owners. The content of this site is provided to you freely due to the generosity of our sponsors.